Skip to content
Member icon

App Privacy Notice

Welcome to our Privacy Notice!

We're thrilled that you're using our app, and we want to make sure you know how we process your personal data. This Notice outlines how we gather, store, use, and share your personal data when you use our app. It also explains your rights in relation to your personal data and how you can exercise them.

  1. Who we are

giffgaff Limited (‘‘we’’, ‘‘us’’, ‘‘our’’) is the data controller of your personal data and we are responsible for treating any personal data about you securely, fairly and lawfully.

When you use our mobile app, we collect information about you, your app experience and how you engage with us, our products and our ads for a variety of purposes, which we explain below. You and anyone else using the app are sometimes called “User(s)”.

This app is not intended for children and we do not knowingly collect data relating to children.

  1. The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where identifying information has been removed (anonymous data).

We collect and process the below data directly from you when you download and use our app. We may combine this data with other information we hold about you for the purposes described in our general Privacy Policy. We have grouped this together as follows:

  • Identity data such as name, member ID, device identifier and other authentication information
  • Contact data such as billing address and telephone number
  • Financial data includes payment details and purchases or orders made by you
  • Technical data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this app
  • Usage data includes information about how you use our app, feedback, your engagement with us and survey response

We also collect, use and share aggregated statistical data. Aggregated data derives from your personal data however will not directly or indirectly reveal your identity. For example, we may aggregate the usage data of our Users to calculate the percentage of Users accessing a specific app feature.

  1. How we use your personal data

We will use your personal data collected via the app in the following circumstances:

Purpose/activity

Type of data

Lawful basis for processing

To install the app and register you as a new app user

Identity

Contact

Technical

Your consent

To authenticate you

Identity

Contact

Technical

Our legitimate interests for secure and safe access to the app

To process in-app purchases, orders and payments

Identity

Contact

Financial

Technical

Performance of a contract with you

To manage our relationship with you including notifying you of changes to the app or services

Identity

Contact

Financial

Profile

Depending on the type of changes and notification:

Your consent

Performance of a contract with you

Necessary for our legitimate interests 

To send you marketing communications

Identity

Contact

Usage

Consent

To administer and protect our business and this app including troubleshooting, data analysis, security checks, and system testing

Identity

Contact

Technical

Financial

Usage

Necessary for our legitimate interests (for example, for network security and anti-fraud checks)

To measure and analyse the effectiveness of the advertising we serve you

Identity

Contact

Technical

Usage

Consent (where applicable, obtained via our cookie settings)

Necessary for our legitimate interests (to develop our products and services and grow our business).

To monitor trends so we can improve the App

Identity

Contact

Technical

Usage

Consent (where applicable, obtained via our cookie settings)

Necessary for our legitimate interests (to develop our products and services and grow our business).

To make recommendations to you about goods or services which may interest you

Identity

Contact

Technical

Usage

Necessary for our legitimate interests (to develop our products and services and grow our business).

To combine app information with other data we hold about from our own and third-party sources for reasons explained in our Privacy Policy on our website

Identity

Contact

Technical

Usage

As per above

To prepare anonymous statistical datasets about our member’s usage of the app for forecasting, service improvement and research purposes

Identity

Contact

Technical

Usage

Legitimate interests (to conduct research and analysis, including to produce statistical research and reports)
  1. How long we keep your data for

We’ll keep your information in line with our data retention policy, for example to help us comply with our legal and regulatory requirements and use it for legitimate purposes, such as managing your account, providing customer support, and developing our business products and services. The criteria we use to determine our retention periods include:

  • The duration of our relationship with you
  • Any recent engagements and correspondence you have had with us
  • Our legal obligations, such as contractual obligations and regulatory investigations
  • Our business needs and legitimate interests in improving our products and services for our members and growing our business

We may need to keep your information for longer if we need the information to comply with regulatory or legal requirements, detect or prevent crime, fraud and financial crime, respond to requests from authorities etc.

Where there is no need for us to keep the information, we destroy, delete or anonymise it.

  1. Keeping your data secure

giffgaff is committed to keeping your data secure. We use a variety of security technologies and measures to help protect your personal data from unauthorized access, use or disclosure. We implement procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.

Although we take security seriously, the internet is not always a safe environment and we cannot therefore guarantee complete security of the information processed in our app and systems. In addition, we have no control over the security of our members’ personal applications and devices and have no responsibility for measures beyond our control.

To protect your account, we encourage you to:

  • enable MFA on your account. Members are presented with the "2 step verification" option when they log-in for the first time. You can manage the MFA option in the app by going to the "Account" tab and then choosing "Security" (please note that in some cases, this step will be mandatory and required by us to access a service),
  • use a strong password for our app, which is unique and different to the passwords you use for your emails, social media and other accounts,
  • never share your password or access to your account with anyone,
  • limit access to your computer and browser,
  • make sure your details are up to date so information we send you does not fall into the wrong hands (you can update your details online or by contacting us).
  1. With whom do we share your personal data

For the reasons detailed above, we share your information with

  • Service providers who provide us with support services, such as for research, IT infrastructure services, technology services, data analytics, data science, cloud services, payment service providers, information security, and advertising and marketing agencies.
  • our group companies, including VMED O2 UK Limited and its companies, our and their prospective partners, suppliers, agents and subcontractors where permitted or required by law.
  • authorities and regulators where we are required to do so, for example as part of criminal investigations.

We may need to share your personal data with some organisations based outside the United Kingdom. We grant these organisations access to personal data where necessary and where appropriate security measures and controls are in place to protect your personal data in accordance with applicable data protection laws, regulations and regulatory guidance. In particular:

  • If there is a decision under the UK data protection law that the country to which your personal data is transferred provides an adequate level of data protection (an adequacy decision by the UK Government).
  • Subject to the appropriate agreements with recipients such as the EU Standard Contractual Clauses or the relevant UK International Data Transfer Agreement.
  • Subject to other data transfer mechanisms permitted under applicable laws.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

  1. Information about your rights and how you can exercise them

Data protection law gives you various rights in relation to your personal data. Please note that we can only deal with requests to exercise these rights where they relate to personal data that we process as data controller. If you send us a request which relates to personal data processed by one or more of our partners as data controllers, you will need to contact the appropriate data controller. Under certain circumstances, you have the right to:

  • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. In some cases, you can update your data directly via your account.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

(a) if you want us to establish the data's accuracy;

(b) where our use of the data is unlawful but you do not want us to erase it;

(c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or

(d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Finally, you have the right to make a complaint at any time to the Information Commissioner's Office (www.ico.org.uk), the UK regulator for data protection issues.

  1. Cookies & similar technologies

For information on the tracking technologies we place on our app, please see our Cookies Policy.

  1. Third-party links

The app may include links to third-party websites, plug-ins and applications or other webpages controlled by giffgaff and/or third parties. Clicking on those links or enabling those connections may allow us and/or third parties to collect or share data about you. If you visit other websites while you are using our app, please refer to the privacy and cookie policies of the respective sites

  1. How can I contact you?

If you would like more information about how we protect your information or would like to raise any data protection or privacy queries with us, including if you want to exercise any of your data subject rights in relation to your information, you can contact us:

  • if you are a member, by logging in to the giffgaff app, go to the "Help" tab and press "contact an agent"
  • f and using the "Ask a giffgaff Agent" option;
  • by emailing us at dpo@giffgaff.co.uk; or
  • by writing to us at:

Data Protection Officer
giffgaff Ltd
Belmont House
Belmont Road
Uxbridge
UB8 1HE

  1. Changes to the Notice

This version was last updated in July 2025. We may revise this Notice from time to time. If we make any material to the way we use these technologies or your personal data collected when you use our app, we will prominently update this Notice and other documents we may provide you from time to time.